EU warns organisations to comply with new GDPR regulations, or face major fines.
What is GDPR?
The EU’s forthcoming General Data Protection Regulation – effective from 25th May 2018 – extends the rights of individuals over their personal data and requires businesses and organisations to ensure their policies are compliant with the new rules.
How will GDPR affect your organisation?
- Designate someone to take responsibility for data protection compliance. The GDPR requires a formal Data Protection Officer for public authorities and for organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special-category data; the ICO recommends that every organisation check whether it falls into one of these groups
- Data controllers and processors will need to demonstrate their accountability to a greater extent
- Organisations will need to review their privacy policies to account for additional information that will need to be provided to data subjects
- The GDPR has increased individuals’ rights over their data so organisations may have to review their procedures here too
- Subjects will need to have easy access to their data
- Consent to process individuals’ data will need to meet a higher standard: it must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and you must be able to demonstrate it and allow the individual to withdraw it. Data subjects have increased rights where your only legal basis for processing their data is consent, so review whether another lawful basis applies
- Children’s data will receive greater protection. Where online services are offered to children on the basis of consent, verifiable parental consent will be needed below the age of digital consent: 16 under the GDPR, which member states may lower to 13, as the UK is doing
- All organisations will need to implement (or review) procedures for detecting, reporting and investigating personal data breaches. The GDPR requires breaches that risk individuals’ rights to be notified to the ICO within 72 hours of the organisation becoming aware of them, and affected individuals to be told without undue delay where the risk is high, so the procedure needs to cover assessment and escalation, not just detection
Why does GDPR matter?
Recent high-profile security breaches, which have allowed personal details to be stolen and – in some cases – published on the internet, mean the protection of individuals’ data has never been more important.
A quick look at the Information Commissioner’s Office (ICO) website shows that, in the last year and a half alone, 208 UK organisations were issued with enforcement notices, financial penalties or prosecutions. The hefty list includes – among others – search engine providers, charities, healthcare trusts, police forces, universities, football clubs, airlines and small businesses – many of them familiar names.
Clearly then, this highlights the need for more rigorous data protection policies – and fast.
Talk Talk’s infamous 2015 data breach compromised the personal data of 157,000 of its customers. But the company hasn’t been the only target over the last three years. Tesco Bank, Sports Direct, Morrisons and the University of Staffordshire were among other well-known names who fell victim to data breaches. Alarmingly, Three mobile had the dubious honour of suffering breaches in 2016 and 2017.
Data breaches are becoming more frequent and more audacious – so preparation for compliance is key.
That a 17-year-old boy admitted taking part in the Talk Talk breach suggests one of two things: either organisations are worryingly complacent about data protection, or they simply do not understand the regulations. As far as the GDPR is concerned, it appears to be the latter: in a survey by Symantec, 96% of companies said they did not have a full understanding of the new regulations.
Fines issued by the ICO under the current Data Protection Act are hardly small, often running from a few thousand pounds into six figures, but they are capped at £500,000 and pale in comparison with the potential penalties for non-compliance from May 2018 onwards.
The GDPR will mean significantly higher penalties for non-compliance. Take the Talk Talk fine: £400,000, issued in October 2016 for failing to keep customer data secure. Under the GDPR, infringements of the basic principles, of individuals’ rights or of the rules on international transfers can result in fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is greater. Failures of the security and breach-notification obligations, which is what the Talk Talk case involved, fall in the lower tier of up to 2% of turnover or 10 million euros.
Clearly, the stakes have been raised. With Talk Talk’s revenues of £1.8bn in 2016, the same breach next year could in principle attract a fine of up to £36m on the 2% tier, or £72m if the higher tier applied. These are maximums rather than automatic penalties, and the actual amount would depend on the nature, gravity and duration of the infringement and on the steps taken to mitigate it, but the order of magnitude speaks for itself.
DPA v GDPR
The International Association of Information Technology Asset Managers (IAITAM) reminds organisations that these regulations will have a global impact.
The fact that Britain is in the process of leaving the EU will make little difference: the UK is legislating to carry the GDPR standard into domestic law, and in any case the Regulation applies to any organisation, EU-based or not, that offers goods or services to, or monitors the behaviour of, individuals in the EU. Note that the test is whether the data subjects are in the EU, not their citizenship.
How Cirro can help with GDPR compliance
Ensuring your organisation is compliant by May 2018 is critical and because the regulations include some huge changes in data management, now is the time to organise your strategy.
Clearly, the GDPR will place greater demands on the integrity of your IT infrastructure and security. Because the GDPR makes data protection by design and by default a legal obligation (Article 25), and the ICO places corresponding emphasis on Privacy by Design, a move to a cloud-based environment is an opportunity to build compliance in from the outset rather than retrofit it.
The GDPR requires organisations to implement appropriate technical and organisational measures for the storage, management and security of personal data (Article 32), and to be able to demonstrate them, which means having clear control over where data is held and who can access it.
Cloud computing offers a dynamic alternative to traditional on-site processing and storage.
The changes to data protection law will present significant challenges for organisations:
- Increased demand for quick and easy access to individuals’ data
- The ability to sync data across multiple devices
- The need for more stringent security measures where data is stored and processed
- The ability to scale storage needs up or down, depending on demand
What advantages does a private cloud offer?
Amazon Web Services (AWS) and Azure by Microsoft are among the biggest providers of public cloud services. Their reputation as secure providers to some of the world’s largest organisations is well-deserved – but size isn’t everything.
Because public cloud services can be supplied from anywhere in the world, there are implications for individuals’ rights: the GDPR restricts transfers of personal data outside the EEA to countries or arrangements offering adequate protection, and organisations must tell data subjects when their data is transferred and what safeguards apply. Public cloud providers do offer EU regions, but it falls to you to select them, to verify that backups, replicas and support access stay within them, and to have a compliant processor contract in place. A private cloud hosted in the UK or EU avoids those multiple-region issues.
Consider too the additional flexibility the GDPR will demand. Public cloud services are standardised offerings, and the extended rights awarded to individuals mean data management will need to adapt as the legislation takes effect. Private cloud services can be customised to your processing needs.
Ultimately, security is at the heart of data protection, and a private cloud service offers strong safeguarding from data breaches and cyber-attacks, provided it is configured and operated properly. Cloud9 services offer a dedicated security zone built into the core environment using network protection software from industry leader Cisco.
ISO/IEC 27001 certification of your organisation’s Information Security Management System (ISMS) is not a GDPR requirement, but it is a recognised way to demonstrate the appropriate technical and organisational measures the Regulation demands. Planning and implementation can take from three months to a year and will be specific to your needs, so it is important to allow sufficient time to complete the task.
For more information on GDPR and the changes to Data Protection
The ICO has produced a checklist, “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now”, which outlines how organisations can prepare for the changes.